Tet

10 Common Web Security Threats Businesses Might Face in 2022

 / October 01, 2020

A lot of common web security threats are seriously a wake-up call for the importance of web security particularly. To raise awareness of web application security threats that businesses and individuals may face today, this article uses OWASP (Open Source Foundation for Application Security) as a reference to list top vulnerabilities on the web.

In November 2019, Hieu Minh Ngo – or notoriously known as HieuPC, a used-to-be Vietnamese hacker – was released after seven years in US jail. In a recent interview with Kreb On Security, Hieu shared the story of his criminal path. Starting with hacking the Unitec website after exploring a vulnerability there, he continued to operate other international attacks on the websites of MicroBilt, Court Ventures, and Experian. Those companies suffered severe damage from their activity of reselling stolen consumer or financial data. But, he is not the only black-hat hacker in the world.

10 Common Web Security Threats You Should Care About

1. Injection flaws

Injection flaws occur when untrustworthy input data fail to be filtered and then sent to an interpreter as a command or query. Attackers can easily detect the vulnerability when testing codes manually or using the fuzzing technique. They then might use that weakness to inject malicious codes and steal business and client data, or more seriously take over the host server. 

Among all types of injection vulnerabilities, SQL Injection is more common with a very high probability of successfully hijacking websites. Besides, other injection flaws can be found in LDAP servers, XPath, or NoSQL queries. 

Web Security Issues - SQL Injection

Prevention of this web security threats:

Simply speaking, to secure websites from injection vulnerabilities, you have to filter input data correctly, and more importantly, those data need to come from a whitelist. But you hardly ensure to properly filter all input without letting no hostile data in.

Gergely Kalman, a Spain-based security specialist, advised using filtering functions of your existing framework as they work well in scrutinizing suspect data. Meanwhile, OWASP suggests using Object Relational Mapping Tools (ORMs) or a safe Application Programming Interface (API) as, in part, a subtitle for an interpreter because an API can provide a certain parameterized interface. So this action will reduce the risk of your websites being hacked.

2. Broken Authentication

Authentication is the process of determining a user’s identity. Accordingly, this act fails when any app functions regarding authentication or session management are improperly executed. Like Injection Flaws, this vulnerability is very common. Hackers can identify it by manual means and then use automated tools to access username and password lists, consequently changing the ownership of users temporarily or permanently. Apart from identity theft, this mistake can result in money laundering, social security fraud, or loss of confidential information.

Web Security Issues - Broken Authentication

Prevention of these web security threats:

To thwart unexpected attacks, users should:

  • set up multi-factor authentication, typically two-factor authentication for Apple ID or Google Account;
  • do not give default credentials to others, especially admin users;
  • ensure their passwords (or called memorized secrets) are not weak;
  • immediately delay failed login attempts from suspects and report this issue to administrators;
  • use a secure and built-in session manager on the server side that creates a new random session ID with high entropy (unpredictable and random identity for attackers not to guess easily).

3. Sensitive Data Exposure

As the name states, the mistake occurs when sensitive data, especially regarding finance or healthcare are not properly protected, thus easily attacked. Such information should have been encrypted at rest or in transit. But it does not, in fact. Consequently, hackers can manually carry out man-in-the-middle attacks where they can secretly intercept and change the communication of two parties without their knowledge, or illegally take clear-text (or unencrypted) data out of the server.

Web Security Issues - Sensitive Data Exposure

Prevention of this web security threat:

To minimize this flaw, Gergely Kalman suggests using “HTTPS with a proper certificate and PFS (Perfect Forward Secrecy)” and stopping receiving data from non-HTTPS connections if you do not want your session keys to be compromised when delivering data over systems. 

It is advisable to classify which data are sensitive before they are processed, stored, or transmitted by an app, and then to use controls based on the classification. Also, as mentioned, all sensitive data ought to be encrypted at rest, but unnecessary data needs to be removed.

4. XML External Entities (XXE)

XML External Entities are custom entities that have values defined outside the DOCTYPE declaration. To execute XTML data, an app requires an XML processor (or XML parser). However, when such processors are poorly configured or too old-fashioned, attackers may use this gap to send hostile XML external files, which allows them to perform various attacks such as disclosure of internal files or SSRF (Server-side Request Forgery).

Web Security Issues - XXE

Prevention of this web security threat:

As many web apps now use an XML format to storage and transfer data, developers should: 

  • be trained to identify and mitigate XXE;
  • use less complex data formats (i.e. JSON) and avoid serializing sensitive data;
  • upgrade all XML parsers and libraries. 

5. Broken Access Control

This flaw arises when authenticated users can access some unauthorized functionality. For example, when a malicious user logs in to his own account on a banking app, he can change the account ID parameter to gain access to the account details of other users, or craft a request to perform an admin-level activity, like searching the user database. Accordingly, consumer data are unintentionally revealed, modified, or even compromised.

Web Security Issues - Broken Access Control

Prevention of this web security threat:

Developers should choose appropriate access control models for the design and development of web apps, and concurrently implement access control in trusted server-side code or server-less API.

6. Security Misconfiguration

To understand how the vulnerability occurs, just look at the picture. Imagine the ladder is the system; the girl is a user; the boy is an attacker, while books and football are configurations. When the boy hits the ball, the ladder will fail, involving the girl in an unexpected accident. This is obviously an inevitable result of using unsuitable ladder mounting (the football) or having a “misconfigured structure”. Similarly, like the ball, configurations of many traditional web servers still remain out-of-date and insecure, while hybrid or cloud environments change so quickly that it is challenging to build the right, secure configurations. Consequently, the flaw can allow hackers to illegally control or even compromise a system.

Web Security Issues - Security Misconfiguration

Prevention of this web security threat:

The most possible solution to fix the mistake is to have a secure development and deployment process.

7. Cross-Site Scripting (XSS)

The flaw appears when web apps receive HTML or JavaScript input tags that are not sanitized (or inspected) after victims click on script-injected links. Hijackers can use such hostile files to execute codes on the user’s browser remotely and steal their credentials and sessions. OWASP reports this problem in two-thirds of modern apps, even on three XSS forms Reflected XSS, Stored XSS, and DOM XSS.

Prevention of this web security threat:

Simply speaking, this issue can be prevented by trying not to return HTML or JavaScript tags to users. Besides, developers can use frameworks (e.g. Ruby on Rails or React.js) that automatically avoid the injection. 

8. Insecure Deserialization

Serialization is the act of converting an object to a format for later restoring, whereas deserialization is the opposite turning data obtained from files or networks into an object. When deserialization is insecure, attackers can abuse this vulnerability to inject hostile objects into a web app and implement remote code attacks on business data.

Web Security Issues - Insecure Deserialization

Prevention of this web security threat:

According to OWASP, the safest solution to the issue is not accepting serialized objects from unknown or unreliable sources. Furthermore, developers should strictly monitor the deserialization process and use a firewall to help determine the flaw.

9. Using Components with Known Vulnerabilities

Apparently, vulnerable components (e.g. frameworks, libraries, or software modules) can get exploited by attackers for bad purposes. Depending on different databases and applications, the impacts of the vulnerability can vary, from purloining private data to taking over the server.

Web Security Issues - Components with Known Vulnerabilities

Prevention of this web security threat:

Developers should follow some essential principles to minimize the risk of having the flaw, particularly: 

  • carefully check codes they write for software;
  • remove unused features, files or documents;
  • only get components from official or trustworthy sources.
FURTHER READING:
1. Short Guide to Understanding Progressive Web Apps
2. What is Drupal? 5 FAQs About Drupal You Must Know
3. Software Development Cost: What To Know

10. Insufficient Logging & Monitoring

Logging means managing logs that are event records related to a system, hence ensuring the collection of useful data. Meanwhile, monitoring helps supervise server performance and detect any intrusions. Therefore, when those actions are insufficiently implemented, they fail to record and detect unknown attacks on the database.

Web Security Issues - Insufficient Logging & Monitoring

Prevention of this web security threat:

Organizations should effectively monitor and alert suspicious activities. Similarly, any login or access control failures should be adequately recorded to identify suspects in time.

Final Thought of Common Web Security Threats

Common web security threats are an unavoidable outcome of Internet development. So not only cybersecurity engineers but also non-experts should take a web security course to protect their assets from unanticipated attacks in the future.

For more articles like this, let’s follow our Facebook, Twitter and LinkedIn!

Also published on

Share post on

TABLE OF CONTENTS

CATEGORIES

SUBSCRIBE NOW

If not form, brief us

sales@dgroup.co

Tell us on Skype

@Designveloper

Tell us about your idea

Your personal information
* THIS IS REQUIRED
What's type of your projects?
* THIS IS REQUIRED
Message
* THIS IS REQUIRED

Get in touch

Simply register below to receive our weekly newsletters with the newest blog posts